Abstract

The workflow satisfiability problem (WSP) asks whether there exists an assignment of authorized users to the steps in a workflow specification that satisfies the constraints in the specification. The problem is NP-hard in general, but several subclasses of the problem are known to be fixed-parameter tractable (FPT) when parameterized by the number of steps in the specification. In this paper, we consider the WSP with user-independent counting constraints, a large class of constraints for which the WSP is known to be FPT. We describe an efficient implementation of an FPT algorithm for solving this subclass of the WSP and an experimental evaluation of this algorithm. The algorithm iteratively generates all equivalence classes of possible partial solutions until, whenever possible, it finds a complete solution to the problem. We also provide a reduction from a WSP instance to a pseudo-Boolean SAT instance. We apply this reduction to the instances used in our experiments and solve the resulting PB SAT problems using SAT4J, a PB SAT solver. We compare the performance of our algorithm with that of SAT4J and discuss which of the two approaches would be more effective in practice.

Keywords: Workflow satisfiability problem (WSP); fixed-parameter tractability (FPT); algorithm engineering; reduction to the pseudo-Boolean SAT problem; user-independent constraints


1 Introduction 

It is increasingly common for organizations to computerize their business and management 
processes. The co-ordination of the steps that comprise a computerized business process is 
managed by a workflow management system. Typically, the execution of these steps will 
be triggered by a human user, or a software agent acting under the control of a human 
user, and the execution of each step will be restricted to some set of authorized users or 
agents. In addition, one may wish to constrain the users who execute certain sets of steps, 
even if authorized. We may, for example, require that two particular steps are executed 
by two different users, in order to enforce some separation-of-duty requirement; or by the 
same user, to respect a binding-of-duty requirement. 

We model a workflow as follows. We have a set of steps S, each of which must be performed by some user in a set U of users. We restrict the users that can perform each step with a set of authorization lists, A = {A(u) : u ∈ U}, where A(u) ⊆ S denotes the set of steps that user u is authorized to perform. Furthermore we must also satisfy a set C of (business) constraints. In general, a constraint can be described as a pair c = (T, Θ), where T ⊆ S and Θ is a set of functions from T to U: T is the scope of the constraint and Θ specifies those assignments of steps in T to users in U that satisfy the constraint.

Given a workflow W = (S, U, A, C), W is said to be satisfiable if there exists a function π : S → U such that

1. for all s ∈ S, s ∈ A(π(s)) (each step is allocated to an authorized user);

2. for all (T, Θ) ∈ C, π|_T ∈ Θ (every constraint is satisfied).

Such a function π : S → U is called a valid complete plan. Evidently, it is possible to specify a workflow that is not satisfiable. Hence, it is important to be able to determine whether a workflow is satisfiable or not. This is called the workflow satisfiability problem (WSP). This problem has been studied extensively in the security research community and more recently as an interesting algorithmic problem.

As an example, consider the following instance of the WSP introduced in [7].

Instance 1. The task set S = {s1, ..., s4} and the user set U = {u1, ..., u6}. The authorization lists are as follows (where a tick indicates that the given user is authorized for the given task):

      u1   u2   u3   u4   u5   u6
s1    ✓    ✓
s2         ✓    ✓
s3         ✓         ✓    ✓    ✓
s4         ✓         ✓    ✓    ✓

The constraints are (s1, s2, =), (s2, s3, ≠), (s3, s4, ≠), and (s1, s4, ≠), where (si, sj, =) means that si and sj must be assigned to the same user and (si, sj, ≠) means that si and sj must be assigned to different users.

A function π : T → Y, where T ⊆ S and Y ⊆ U, is called a partial plan. A partial plan π is authorized if s ∈ A(π(s)) for every s ∈ T. A partial plan π is eligible if it does not violate any constraint in C, and π is valid if it is both authorized and eligible. In other words, a valid partial plan could, in principle, be extended to a valid complete plan.

Example 1 illustrates the meanings of eligible, complete and authorized plans in the context of Instance 1.

Example 1. The following table gives assignments for four plans, π1, π2, π3, π4:

      s1   s2   s3   s4   Authorized   Eligible   Complete
π1    u1   u2   u4   u5   ✓                       ✓
π2    u1   u1   u4   u5                ✓          ✓
π3    u1   -    u4   u5   ✓            ✓
π4    u2   u2   u4   u5   ✓            ✓          ✓

• π1 is a complete plan which is authorized but not eligible, as s1 and s2 are assigned to different users.

• π2 is a complete plan which is eligible but not authorized, as u1 is not authorized for s2.

• π3 is a plan which is authorized and eligible, and therefore valid. However, π3 is not a complete plan as there is no assignment for s2.

• π4 is a complete plan which is eligible and authorized. Thus π4 is a valid complete plan, and is therefore a solution.

The WSP is known to be NP-hard [22] in general: it is easily shown to be NP-hard even if restricted to simple separation-of-duty constraints. Wang and Li [22] observed that, in practice, the number k of steps is usually significantly smaller than the number n of users and, thus, suggested parameterizing the WSP by the number of steps k. Also, they showed that, in general, the WSP is W[1]-hard, but is fixed-parameter tractable (FPT) for certain classes of constraints. In other words, for some classes of constraints, the WSP can be solved in time O*(f(k)), where f is an arbitrary function of k only, and O* suppresses not only constants, but also polynomial factors. Such algorithms are called FPT. For further terminology on parameterized algorithms and complexity, see the standard monographs.

Since the problem is intractable in its generality and covers a vast number of different types of constraints, it is natural to restrict attention to some WSP subclasses defined by the types and properties of constraints. Many business rules are not concerned with the identities of the users that complete a set of steps. Accordingly, we say a constraint c = (T, Θ) is user-independent if, whenever θ ∈ Θ and φ : U → U is a permutation, then φθ ∈ Θ. In other words, given a plan π that satisfies c and any permutation φ : U → U, the plan π' : S → U, where π'(s) = φ(π(s)), also satisfies c.

The most obvious example of a user-independent constraint is the requirement that two 
steps are performed by different users or, in other words, by exactly two users (separation- 
of-duty). A more complex example might require that at least/at most/exactly r users 
are required to complete some sensitive set of steps (cardinality or counting constraints), 
where r is usually small, normally less than 5. A constraint that a particular user u has to perform at least three steps is not user-independent.

There is a substantial literature on constraints as a method for specifying and enforcing business rules, including work by researchers at SAP and IBM. The most widely studied constraints are counting and separation-of-duty constraints, which form part of the ANSI standard on role-based access control (RBAC) [1], developed by the US National Institute of Standards and Technology (NIST). In short, the literature and relevant standards suggest that user-independent constraints are the constraints of most interest in business processing and workflow management systems. In particular, all the constraints defined in the ANSI RBAC standard are user-independent.
1.1 FPT results and analysis

One of the motivations for this research was to show that the generic FPT algorithm of Cohen et al. [7] is not merely of theoretical interest. The gap between traditional “pen-and-paper” algorithmics and actually implemented computer-feasible algorithms can be enormous. In this paper, we demonstrate that the generic FPT algorithm of [7] has practical value and its implementations are able to outperform the well-known PB SAT solver SAT4J [16].

Crampton et al. [10] extended the FPT classes of [22] and obtained more efficient algorithms than in [22]. Recently, Cohen et al. [7] described a new generic algorithm to solve some classes of the WSP. In particular, they proved that their generic algorithm is FPT for the WSP restricted to the class of user-independent constraints. Almost all constraints studied in [10, 22] and other papers are user-independent. Since separation-of-duty constraints are user-independent, the WSP restricted to the class of user-independent constraints remains NP-hard [22].

In this paper we present two different approaches to solve the WSP with user-independent counting constraints, describe their implementations, and compare their experimental outcomes. First, we describe an adaptation of the general FPT algorithm of [7] to the case of the WSP with user-independent constraints and develop its implementation in the case of counting constraints. We then describe a reduction of WSP instances with user-independent counting constraints to a pseudo-Boolean (PB) SAT problem and prove its correctness. This solution approach is similar to the one presented in [22]. In this approach, a PB SAT solver is used as a black box solver for our WSP instances.

We compare the performance of the two approaches in a set of computational experiments. While Wang and Li [22] provided experimental evaluation for their reduction to PB SAT, they did not provide any experimental evaluation for their FPT algorithm for the WSP. Our paper therefore represents the first experimental evaluation of an FPT algorithm designed specifically for the WSP.

Our results show that for more challenging well-constrained WSP instances, the FPT 
algorithm of [7] is more effective and efficient than the reduction to a PB SAT problem. 
In fact, the PB SAT solver (SAT4J) was unable to solve several WSP instances, usually 
because of excessive memory requirements. On the other hand, for lightly-constrained 
WSP instances, the PB SAT solver usually outperforms our implementations of the FPT 
algorithm. 

1.2 Paper organization 

The paper is organized as follows. In Section 2 we describe our generic FPT algorithm and, in Section 3, we describe and discuss its implementation. In Section 4 we describe how the family of WSP instances we consider can be formulated as a pseudo-Boolean SAT problem. Section 5 describes test experiments which we have conducted with synthetic data to compare our implementations of the FPT algorithm to SAT4J. Finally, Section 6 provides conclusions and discusses plans for future work.

The main differences between this paper and the preliminary version [6] are as follows. In Section 2 the generic algorithm for solving user-independent constraints is described. In Section 3 its implementation for counting constraints is explained, with a formal proof in Theorem 1 that some users can be skipped during the iteration of the algorithm. A new heuristic speed-up for the FPT algorithm using pairs of intersecting constraints is described in Subsection 3.3. We have also conducted a new set of experimental tests, using a new implementation of the FPT algorithm (Section 5).


2 Generic FPT algorithm for the WSP

In this section we describe how the FPT algorithm of [7] works in the WSP case with user-independent constraints. As mentioned above, one of the distinctive features of the WSP is that the number k = |S| of steps is significantly smaller than the number n = |U| of users, which allows us to design efficient FPT algorithms using k as a parameter. The algorithm presented here iteratively considers users one-by-one and gradually generates all possible partial solutions, where two solutions are treated as identical if they satisfy a certain equivalence relation, defined below. The algorithm continues until it finds a valid complete plan, or all the users have been considered. Before we give an overview of the algorithm, we introduce some definitions.

For user-independent constraints, two partial plans π : T → Y and π' : T' → Y' are equivalent, denoted by π ~ π', if and only if T = T', and for all s, t ∈ T, π(s) = π(t) if and only if π'(s) = π'(t). In other words, equivalent partial plans π and π' both assign the same steps T and a set of steps is assigned to a single user by π if and only if π' also assigns those steps to a single (possibly different) user.

Without loss of generality, we may assume the set of steps S is ordered as s1, ..., sk. Each equivalence class L of partial plans corresponds to a unique pattern p, which is a unique encoding of that class. More precisely, the encoding p = Enc(L) of an equivalence class L of partial plans is given by p = (T, (x1, ..., xk)), where for any plan π ∈ L, we have that π : T → Y for some Y ⊆ U, and for each i ∈ [k]:

      x_i = 0                            if s_i ∉ T,
      x_i = 1                            if i = 1 and s_i ∈ T,
      x_i = x_j                          if π(s_i) = π(s_j) and j < i,
      x_i = max{x_1, ..., x_{i-1}} + 1    otherwise.

The vector (x1, ..., xk) is called a min-vector, representing a partition of the steps in T such that each block in the partition is assigned to a single user and each block is assigned to a different user.

We will also write p = Enc(π) to represent the fact that p is the pattern of π, i.e. p = Enc(L), where L is the equivalence class containing the plan π. A pattern p is authorized (eligible, valid, respectively) if there is a plan π which is authorized (eligible, valid, respectively) for which p = Enc(π).

For our FPT algorithm, we require efficient algorithms for searching and inserting 
elements into a set of patterns. Cohen et al. have shown that such algorithms exist 
for user-independent constraints, essentially because this set of patterns admits a natural 
lexicographic ordering. 

2.1 Algorithm for the WSP with user-independent constraints 

The pseudo-code in Algorithm 1 presents an adaptation of the generic FPT algorithm of [7] to the WSP case with user-independent constraints. The pseudo-code omits some details concerning heuristics we use to speed up the running time. We give details of these heuristics in Section 3.

The algorithm considers users one at a time, in some order u1, u2, .... The order of users may be changed dynamically - that is, after processing user u_i, we may change the ordering of users u_{i+1}, .... We do this in order to move to a possible solution more efficiently by restricting the search space of currently valid patterns. The details of the dynamic ordering are given in Section 3.5. As well as prioritising some users by moving them to earlier in the order, we identify some users (called the useless users) which we may assume perform no steps at all, and therefore do not need to be processed. The details about useless users are given in Section 3.4.

As we process the users, we produce a set Π of potential partial solutions and a set P of encodings of these solutions. More precisely: after processing user u_i, the set Π is a set of valid partial plans which only assign steps to users from {u1, ..., u_i}. The set P is the set of encodings of plans in Π, and for each p ∈ P there is exactly one plan π_p ∈ Π such that p = Enc(π_p). For any valid partial plan π that assigns steps only to users from {u1, ..., u_i}, there exists p ∈ P such that p = Enc(π). Thus, P is a set of encodings of all valid partial plans with user set contained in {u1, ..., u_i}.

At each iteration, having processed users u1, ..., u_i, we try to assign to the next user u_{i+1} a set T' of steps unassigned by an existing valid plan in Π, in order to obtain a new valid partial plan. The new user u_{i+1} must be authorized for each step in T'. At the same time as we construct the new plan, we calculate its pattern. If the resulting plan is eligible (and therefore, valid at this stage), and if its pattern is not already in P, we add the plan to Π and its pattern to P. If the resulting plan covers all steps in S, we have a solution to the WSP instance.

The overall complexity of the algorithm is determined by k, n, and the number w_i of patterns (equivalence classes of ~) considered by the algorithm for a pair (U_i, T), where U_i = {u1, ..., u_i} is the set of the first i users in the iteration, i = 1, ..., n, T ⊆ S. We define the diversity of the equivalence relation with respect to an order of users u1, ..., un to be w = max_{1≤i≤n} w_i. Theorem 1 in [7] asserts that our algorithm has run-time O*(3^k w log w). Thus, when w is a function of k only, we have an FPT algorithm. For user-independent constraints, w ≤ B_k, where B_k is the kth Bell number, and B_k = 2^{k log k (1 − o(1))} [3].
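As an added example (not the paper's implementation), the following Python code implements the encoding Enc(π) defined above and the user-by-user, pattern-deduplicating search just described, run on Instance 1; it also applies the useless-user rule of Section 3.4 when an iteration adds no new pattern. The constraint tuple forms and the dictionary representation of plans are assumptions of this example.

```python
from itertools import combinations

STEPS = ["s1", "s2", "s3", "s4"]
# Authorization lists A(u) of Instance 1 (a tick in the table = membership).
AUTH = {
    "u1": {"s1"},
    "u2": {"s1", "s2", "s3", "s4"},
    "u3": {"s2"},
    "u4": {"s3", "s4"},
    "u5": {"s3", "s4"},
    "u6": {"s3", "s4"},
}
# Assumed constraint forms: ('eq', s, t), ('ne', s, t), ('atmost', r, Q), ('atleast', r, Q).
CONSTRAINTS = [("eq", "s1", "s2"), ("ne", "s2", "s3"),
               ("ne", "s3", "s4"), ("ne", "s1", "s4")]


def encode(plan, steps=STEPS):
    """Pattern p = (T, (x_1, ..., x_k)) of a partial plan {step: user}.
    x_i = 0 for an unassigned step; otherwise the block number of the user
    of s_i: reuse x_j of the first earlier step with the same user, else
    max(x_1, ..., x_{i-1}) + 1 (so x_i = 1 for the first assigned step)."""
    xs = []
    for i, s in enumerate(steps):
        if s not in plan:
            xs.append(0)
            continue
        same = [xs[j] for j in range(i) if plan.get(steps[j]) == plan[s]]
        xs.append(same[0] if same else max(xs, default=0) + 1)
    return (frozenset(plan), tuple(xs))


def eligible(plan, constraints=CONSTRAINTS):
    """True if the partial plan violates no constraint.  A counting constraint
    is violated only when no extension of the plan could satisfy it."""
    for kind, a, b in constraints:
        if kind in ("eq", "ne"):
            if a in plan and b in plan and (plan[a] == plan[b]) != (kind == "eq"):
                return False
        else:
            r, q = a, b
            used = {plan[s] for s in q if s in plan}
            free = sum(1 for s in q if s not in plan)
            if kind == "atmost" and len(used) > r:
                return False
            if kind == "atleast" and len(used) + free < r:
                return False
    return True


def authorized(plan, auth=AUTH):
    """Every assigned step is in the authorization list of its user."""
    return all(s in auth[u] for s, u in plan.items())


def solve(steps=STEPS, auth=AUTH, constraints=CONSTRAINTS, users=None):
    """Return (valid complete plan or None, number of patterns kept).
    Users are processed in the given order; one representative plan is
    kept per pattern, as in the sets P and Pi of the text."""
    remaining = list(users or auth)
    reps = {encode({}, steps): {}}            # zero-pattern -> trivial plan
    while remaining:
        u = remaining.pop(0)
        new = {}                                # P_u and Pi_u of this iteration
        for plan in list(reps.values()):
            t_u = [s for s in steps if s in auth[u] and s not in plan]  # A(u) \ T
            for size in range(1, len(t_u) + 1):
                for t_new in combinations(t_u, size):
                    ext = dict(plan, **{s: u for s in t_new})  # pi' = pi_p U (T' -> u)
                    if not eligible(ext, constraints):
                        continue
                    if len(ext) == len(steps):
                        return ext, len(reps) + len(new)
                    p2 = encode(ext, steps)
                    if p2 not in reps and p2 not in new:
                        new[p2] = ext
        if not new:
            # Theorem 1 (Section 3.4): a later user authorized only for a
            # subset of A(u) cannot contribute a new pattern either.
            remaining = [v for v in remaining if not auth[v] <= auth[u]]
        reps.update(new)
    return None, len(reps)
```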


3 Implementing the FPT algorithm 

We provide more details of our implementation of Algorithm 1 below. For our experiments, we use not-equals, at-most-r, and at-least-r constraints. A not-equals constraint (s, t, ≠) is specified by a pair of steps s and t; a plan π satisfies the constraint (s, t, ≠) if π(s) ≠ π(t). An at-most-r constraint may be represented as a tuple (r, Q, ≤), where Q ⊆ S and 1 ≤ r ≤ |Q|, and is satisfied by any plan that allocates no more than r users in total to the steps in Q. An at-least-r constraint may be represented as (r, Q, ≥), and is satisfied by any plan that allocates at least r users to the steps in Q. Note that these at-most and at-least constraints impose “confidentiality” and “diversity” requirements on the workflow, which can be important in a business environment.

Our implementation therefore includes some heuristics specifically designed for these constraints. In this section we describe the main ideas used for implementing the FPT algorithm, and heuristic speed-ups that have been introduced to make implementations competitive with and more efficient than SAT4J on the reduction to the PB SAT problem.
Algorithm 1: FPT algorithm for the WSP with user-independent counting constraints
Input: Instance of WSP
Output: SATISFIABLE and a valid plan, or UNSATISFIABLE.
 1 begin
 2   Initialize the set Π of plans with the trivial plan π : ∅ → ∅;
 3   Initialize the set P of patterns with the zero-pattern (∅, (0, ..., 0));
 4   If possible, derive new constraints from given constraints (e.g., see Section 3.3);
 5   foreach u ∈ U do
 6     Initialize Π_u = ∅;
 7     Initialize P_u = ∅;
 8     Preprocess constraints (see Section 3.1);
 9     foreach pattern p = (T, (x1, ..., xk)) in P do
10       T_u ← A(u) \ T;
11       foreach ∅ ≠ T' ⊆ T_u do
12         Let π_p be a plan with pattern p in Π;
13         π' ← π_p ∪ (T' → u);
14         Preprocess constraints (see Section 3.1);
15         Check whether π' is eligible and propagate constraints (see Sections 3.2 and 3.3);
16         if π' is eligible then
17           if T ∪ T' = S then
18             return SATISFIABLE and π';
19           else
20             Compute the pattern p' for π';
21             if p' ∉ P ∪ P_u then
22               Add π' to Π_u;
23               Add p' to P_u;
24             end
25           end
26         end
27       end
28     end
29     if Π_u = ∅ then
30       foreach u' such that A(u') ⊆ A(u) do
31         U ← U \ {u'} (Remove useless users, see Section 3.4);
32       end
33     else
34       Π ← Π ∪ Π_u;
35       P ← P ∪ P_u;
36     end
37     Choose a user for the next iteration (see Section 3.5);
38   end
39   return UNSATISFIABLE;
40 end
Note that only the heuristics referred to in lines 8, 14 and 15 are specific to not-equals, at-most-r, and at-least-r constraints. Without these heuristics, Algorithm 1 becomes a generic algorithm for any user-independent constraints.


3.1 Preprocessing and eligibility checking 

Not-equals and at-least-r constraints are preprocessed in the outer loop on a per-user basis in line 8: only at-least-r constraints containing some steps authorized to the current user and not-equals constraints with both steps authorized to the current user are passed into the inner loops for eligibility checking and propagation. At-least-r constraints are also preprocessed per-pattern to guarantee their efficient checking in the inner loop (line 14): only at-least-r constraints containing steps from T' are chosen to be used for eligibility checking. At-most-r constraints are not preprocessed, but checked directly for violation and propagated in combination with not-equals constraints as explained later (line 15).

Much of the work of the implementation of the algorithm is done in line 15: we consider a plan π_p with a given valid pattern p and test whether its authorized extension (by the assignment of steps in T' to user u) is eligible. Line 10 guarantees that we deal only with authorized plans. In computational experiments, at-most-r and not-equals constraints reject a much larger proportion of candidates for a valid plan than at-least-r constraints. In other words, they are much easier to violate than at-least-r constraints. Since not-equals constraints are preprocessed per-user for efficient checking, and at-most-r constraints are not preprocessed but used for propagation and more efficient dynamic iteration by users, the constraints are checked in the following order: (1) not-equals constraints; (2) at-most-r constraints; (3) at-least-r constraints. At the same time as we check at-most-r constraints, we also propagate at-most-r constraints and pairs of intersecting at-most-r constraints; see the next two sections. The pattern for the extended valid plan is computed and added to the set P_u of extended patterns in line 20. Results by Cohen et al. [7] assert that these subroutines can be performed efficiently.


3.2 Constraint propagation 

After checking that a partial plan π ∪ (T' → u) does not violate at-most-r constraints directly, we propagate information (line 15) about the current state of any at-most-r constraint as follows.

Suppose ℓ steps in a constraint c = (r, Q, ≤) have been assigned to r − 1 distinct users in π ∪ (T' → u), and ℓ ≤ |c| − 2. Then the remaining q = |c| − ℓ ≥ 2 steps in Q must be assigned to a single user. If there is no remaining user u'' authorized for all q unassigned steps in Q, we discard the partial plan π ∪ (T' → u) and its pattern.

Similarly, if any pair of the q unassigned steps in Q is the scope of some not-equals constraint, we discard the partial plan and its pattern. On the other hand, if such a user u'' authorized for all the unassigned steps in an at-most-r constraint c is found, it is called useful and may be given priority to be used in the next iteration. Pairs of intersecting at-most-r constraints are also propagated at this time; see the next section.


3.3 Propagating pairs of intersecting at-most-r constraints 

The latest implementations of the algorithm propagate information about pairs of intersecting at-most-r constraints - that is, pairs of constraints with overlapping sets of steps (earlier implementations considered only pairs of at-most-r constraints intersecting in at least two steps). In line 4, before starting the iteration, pairs of intersecting at-most-r constraints are recorded separately, with one of the common steps marked. The pairs are propagated during line 15 when the marked common step is unassigned. In this case, we need to find at least one user u'' authorized for all unassigned steps in both constraints comprising the pair as follows.

Suppose c1 = (r1, Q1, ≤) and c2 = (r2, Q2, ≤) are the two constraints comprising a pair, Q1 ∩ Q2 ≠ ∅, and the marked intersection step is s ∈ Q1 ∩ Q2. As above, suppose ℓ_i steps in a constraint c_i = (r_i, Q_i, ≤) are assigned to r_i − 1 distinct users in π ∪ (T' → u), ℓ_i ≤ |c_i| − 2, and the remaining q_i = |c_i| − ℓ_i ≥ 2 steps in Q_i must be assigned to a single user, i = 1, 2. Moreover, suppose the step s ∈ Q1 ∩ Q2 is unassigned in π ∪ (T' → u). Then the q1 unassigned steps in c1 and the q2 unassigned steps in c2 must be assigned to the same single user u'' in a later iteration. Furthermore, u'' must be authorized for all the unassigned steps in c1 and c2. If such a user u'' is not available among the remaining users, or if any pair of the unassigned steps in Q1 ∪ Q2 is the scope of some not-equals constraint, we discard the partial plan π ∪ (T' → u) and its pattern. On the other hand, a user u'' authorized for all the unassigned steps in a pair of intersecting at-most-r constraints is called super-useful and may be given priority to be used for the next iteration.
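The propagation rules of Sections 3.2 and 3.3, as an added Python example that is not the paper's code: a partial plan is a dictionary from steps to users, an at-most-r constraint is a pair (r, Q), and `remaining` is the list of users the algorithm has not yet processed (already processed users never receive further steps, which is why the free steps must go to one later user). The sample authorizations, constraints and plan are constructed for this example.

```python
def forced_single_block(plan, c):
    """Unassigned steps of at-most-r constraint c = (r, Q) that must all go
    to one later user, or None if the rule of Section 3.2 does not apply.
    It applies when the assigned steps of Q already use r - 1 distinct users
    and q >= 2 steps of Q are still free (i.e. l <= |c| - 2)."""
    r, q_steps = c
    used = {plan[s] for s in q_steps if s in plan}
    free = sorted(s for s in q_steps if s not in plan)
    if len(used) == r - 1 and len(free) >= 2:
        return free
    return None


def useful_user(free, auth, remaining, not_equals):
    """Return a remaining user authorized for every step in `free`, or None
    when the plan must be discarded: two free steps form the scope of a
    not-equals constraint, or no remaining user covers all free steps."""
    for s, t in not_equals:
        if s in free and t in free:
            return None
    for u in remaining:
        if all(s in auth[u] for s in free):
            return u
    return None


def propagate(plan, c, auth, remaining, not_equals):
    """Section 3.2 for one constraint: (keep, useful_user).  keep == False
    means the partial plan and its pattern are discarded."""
    free = forced_single_block(plan, c)
    if free is None:
        return True, None
    u = useful_user(free, auth, remaining, not_equals)
    return u is not None, u


def propagate_pair(plan, c1, c2, marked, auth, remaining, not_equals):
    """Section 3.3 for intersecting c1, c2 with marked common step `marked`:
    when the marked step is unassigned and both constraints force a single
    block, the free steps of both must share one (super-useful) user."""
    if marked in plan:
        return True, None
    f1, f2 = forced_single_block(plan, c1), forced_single_block(plan, c2)
    if f1 is None or f2 is None:
        return True, None
    free = sorted(set(f1) | set(f2))
    u = useful_user(free, auth, remaining, not_equals)
    return u is not None, u


# Constructed sample: two at-most-2 constraints sharing the marked step s3;
# users u1 and u2 have already been processed, u3 and u4 remain.
SAMPLE_AUTH = {"u3": {"s2", "s3"}, "u4": {"s2", "s3", "s5"}}
C1 = (2, {"s1", "s2", "s3"})
C2 = (2, {"s3", "s4", "s5"})
SAMPLE_PLAN = {"s1": "u1", "s4": "u2"}
```

With `SAMPLE_PLAN`, each constraint alone is satisfiable by a different remaining user (u3 for C1, u4 for C2), but the pair forces s2, s3 and s5 onto one user, so only u4 is super-useful and removing u4 from the remaining users discards the plan.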


3.4 Useless users 

Each iteration of the algorithm considers assigning some steps to a particular user u and constructs a set P_u of extended valid patterns and, respectively, a set Π_u of partial plans that include this user u. The construction of P_u and Π_u is based on patterns in the set P generated after the previous iterations, constraints in C, and the list of authorizations A(u) of u. Suppose Π_{u'} is a set of plans in Algorithm 1 used for a later iteration, when another user u' is considered, and A(u') ⊆ A(u). Then, Π_u = ∅ implies Π_{u'} = ∅, i.e. such a user u' can be disregarded later in the iteration. The reason for this is that any steps assigned to u' could instead be assigned to u. We justify this claim formally with the following result.

Theorem 1. Suppose Algorithm 1 considers users in the order u1, u2, ..., un to solve a WSP instance (S, U, A, C) with user-independent constraints C. Suppose also that Π_{u_i} = ∅ for some user u_i (line 29), i ≥ 1, and a user u_j ∈ {u_{i+1}, ..., u_n} has A(u_j) ⊆ A(u_i). Then Π_{u_j} = ∅.

Proof: Suppose for a contradiction that Π_{u_j} ≠ ∅. Then Π_{u_j} contains a valid partial plan π : T → {u1, ..., u_j} for some T ⊆ S. By definition of Π_{u_j}, π^{-1}(u_j) ≠ ∅, and π ≁ π' for any valid partial plan π' : T → {u1, ..., u_{j−1}} (as otherwise π would not have been added to Π_{u_j}).

Let π_i be the plan π restricted to {u1, ..., u_i}, i.e. π_i : T' → {u1, ..., u_i}, where T' = π^{-1}({u1, ..., u_i}). Clearly, π_i is a valid partial plan that corresponds to a pattern p encoding the equivalence class L of π_i. Since Π_{u_i} = ∅ in line 29 of Algorithm 1, there is an authorized and eligible partial plan π_{i−1} ∈ Π having the same pattern p as π_i that does not use the user u_i, i.e. π_{i−1} : T' → {u1, ..., u_{i−1}} and π_{i−1} ~ π_i.

Now let π_{i+1} be π restricted to {u_{i+1}, ..., u_j}, i.e. π_{i+1} : T \ T' → {u_{i+1}, ..., u_j}, where the set of steps T' is the same as covered by π_i and π_{i−1}. Consider π' = π_{i−1} ∪ π_{i+1}. Since π = π_i ∪ π_{i+1} and π_{i−1} ~ π_i, we have that π ~ π'. It follows that π' is eligible and, by construction, π' is authorized. Therefore we have a valid partial plan π' : T → {u1, ..., u_j} such that π' ~ π and π'^{-1}(u_i) = ∅.

Finally, let π'' be a plan obtained from π' by reassigning all the steps assigned to u_j in π' to the user u_i. Clearly, this is possible because A(u_j) ⊆ A(u_i). In other words, we respect authorizations in π'' and have π''^{-1}(u_j) = ∅. Since π'' can be obtained from π' by a permutation of two users, u_i and u_j, and all the constraints are user-independent, π'' is eligible and π'' ~ π' ~ π.

Thus, we have a valid partial plan π'' : T → {u1, ..., u_{j−1}} such that π'' ~ π, a contradiction. □


We say a user u' is useless for the current iteration if there exists a user u such that A(u') ⊆ A(u), u has been considered earlier in the iteration, and Π_u = ∅ in line 29 of Algorithm 1. Theorem 1 implies that, if we discover a useless user u' in Algorithm 1, without loss of generality, we may assume that there are no steps assigned to this user u' in a final solution (a complete valid plan). One of the heuristic speed-ups we employ is to identify and ignore useless users (line 31). This is the only heuristic speed-up used in implementations of Algorithm 1 that has a deterministic nature and requires a proof of its correctness.


3.5 Dynamic choice of users in iteration (useful users) 

In an effort to satisfy some of the at-most-r constraints and to reduce the number of unassigned steps in partial plans as quickly as possible, useful or super-useful users identified during the propagation in line 15 are used to perform the next iteration. The priority can be given, for example, to a useful user satisfying at least two at-most-r constraints independently, or the first detected super-useful user, or a super-useful user covering the largest number of steps in the corresponding at-most-r constraints, etc. The chosen useful user is moved to the beginning of the list of remaining users, and the list of remaining users is adjusted accordingly (line 37). This determines a dynamic ordering on the set of users through which the algorithm iterates. Depending on the choice of useful users, implementations of the FPT algorithm can behave very differently and competitively with respect to each other, making it difficult to select the best implementation among several possible choices. The implementation chosen for the experiments in Section 5 uses the first super-useful user detected during propagation, if such a user exists, and otherwise uses the first useful user detected.


4 The WSP as a pseudo-Boolean SAT problem 

In this section we describe how the WSP with user-independent counting constraints can be encoded as a pseudo-Boolean SAT problem and prove correctness of the encoding. Wang and Li [22] encoded their WSP instances as a pseudo-Boolean SAT problem and used a PB SAT solver (SAT4J) to solve them. Pseudo-Boolean SAT solvers are recognized as an efficient way to solve general constraint networks [16]. In their experiments, Wang and Li [22] considered not-equals constraints. They also considered a number of other constraints, which we do not use in our experimental work since they add little complexity to a WSP instance. In the experiments of Wang and Li, SAT4J solved all generated instances quite efficiently.

We test SAT4J on a set of WSP instances of a different type, where SAT4J’s effec¬ 
tiveness and efficiency vary a lot. We show that our reduction to the PB SAT problem 
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and SAT4J can be still snccessfnlly applied to lightly-constrained instances, which are not 
likely to be unsatishable. We use not-equals constraints as well as at-most-r and at-least-r 
constraints. For convenience and by an abuse of notation, given a constraint c of the form 
(r, Q, or (r, Q, ^), we will write s G c to denote that s E Q, and dehne |c| to be |Q|. 

An authorization list for a step s is a set of users authorized to perform s and is denoted 
by A(s) = {u E U : s E A{u)}. We encode such constraints in the same way as Wang 
and Li |22], by dehning a binary variable Xu,s for every pair (u, s) such that u is authorized 
for s. That is, a variable Xu^s is dehned if and only if s G A{u). In addition, for each at- 
least-r constraint c and user u, we introduce a ( 0 ,l)-variable Zu,ci and, for each at-most-r 
constraint c and user u, we introduce a (0,l)-variable yu,c- These variables are subject to 
the following constraints: 

(FBI) for each step s: 

(PB2) for each not-equals constraint (s, t, 7 ^) and user u E A(s) fl A{t): Xu,s + Xu,t ^ 1; 
(PBS) for each at-least-r constraint c and user u: Zu,c ^ 'l2s&A{u)nc^u,s', 

(PB4) for each at-least-r constraint c: Yhu&u ^ 

(PBS) for each at-most-r constraint c, s E c, and u E A(s): Xu,s ^ 2/«,c; 

(PB 6 ) for each at-most-r constraint c: ^ 

The goal of a PB SAT solver is to find an assignment of values to these variables, 
representing a plan, where $x_{u,s} = 1$ if and only if user u is assigned to step s. Informally, 
(PB1) ensures that each step is assigned to a single user; (PB2) ensures that all not-equals 
constraints are satisfied; (PB3) and (PB4) ensure that all at-least-r constraints are 
satisfied; and (PB5) and (PB6) ensure that all at-most-r constraints are satisfied. 

Theorem 2. A WSP instance with not-equals, at-most-r and at-least-r constraints has a 
solution if and only if the corresponding pseudo-Boolean SAT problem (PB1)-(PB6) has a 
solution. 

Proof: Suppose first that our WSP instance with not-equals, at-most-r, and at-least-r 
constraints has a solution. Then set $x_{u,s} = 1$ if u is assigned to s in the WSP solution 
(noting that $x_{u,s}$ is defined, as u must be authorized for s), and set $x_{u,s} = 0$ otherwise. 
For each at-least-r constraint c, let $z_{u,c} = 1$ if and only if u is assigned to a step in c. 
Similarly, for each at-most-r constraint c, let $y_{u,c} = 1$ if and only if u is assigned to a step 
in c. It is easy to see that this assignment of (0,1)-values to the variables $x_{u,s}$, $z_{u,c}$, and $y_{u,c}$ 
satisfies all of the pseudo-Boolean constraints in (PB1)-(PB6). 

Conversely, suppose our pseudo-Boolean SAT problem (PB1)-(PB6) has a solution. By 
the first set of PB constraints, for each step s there exists a unique user u such that $x_{u,s} = 1$. 
Consider the solution to the WSP in which each step s is assigned to the unique u such 
that $x_{u,s} = 1$. As $x_{u,s}$ is only defined for authorized pairs (u, s), this solution only assigns 
users to steps for which they are authorized. We now show that this solution satisfies all 
the constraints in the WSP instance. 

For an inequality constraint $(s, t, \ne)$, we have that, for each user u, either u is not 
authorized for at least one of s and t, or $x_{u,s} + x_{u,t} \le 1$. It follows that no user performs 
more than one of s and t, so the corresponding not-equals constraint is satisfied. 

For an at-least-r constraint c, the satisfied inequality in (PB4) guarantees that at least 
r of the variables $z_{u,c}$, $u \in U$, are set equal to 1. Observe that $z_{u,c} = 1$ implies that u performs 
a step in c: since $z_{u,c} \le \sum_{s \in A(u) \cap c} x_{u,s}$ by (PB3), it must be the case that $x_{u,s} = 1$ for some 
$s \in A(u) \cap c$. Thus, as we have $\sum_{u \in U} z_{u,c} \ge r$, it follows that there are at least r users 
that perform a step in c, and so c is satisfied. 

For each at-most-r constraint c, the equalities in (PB1) imply that for each $s \in c$, there 
exists $u \in A(s)$ such that $x_{u,s} = 1$, i.e. s is performed by a certain authorized user u. Since 
the inequalities in (PB5) are satisfied, $x_{u,s} \le y_{u,c}$ implies $y_{u,c} = 1$ for that particular user 
u. Thus, $y_{u,c} = 1$ for every user u that performs at least one step in c. Since the inequality 
in (PB6) is satisfied, at most r users perform a step in c, and so c is satisfied. □ 
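The encoding (PB1)-(PB6) and both directions of the proof of Theorem 2, as an added example that is not the paper's code: a Python function builds the linear PB constraints for a small constructed WSP instance (the steps, users, authorizations and constraints below are assumptions, not from the paper), maps plans to PB assignments and back, and checks by enumeration that an authorized plan satisfies the WSP exactly when its PB image satisfies the encoding.

```python
"""Encoding (PB1)-(PB6) of a WSP instance and a check of the Theorem 2
correspondence on a constructed instance. Added example, not the paper's code."""
from itertools import product

# Constructed instance (assumption, not from the paper): four steps, four users.
STEPS = ["s1", "s2", "s3", "s4"]
AUTH = {"u1": {"s1", "s2"}, "u2": {"s2", "s3"},   # A(u): steps u may perform
        "u3": {"s3", "s4"}, "u4": {"s1", "s4"}}
NOT_EQUALS = [("s1", "s2"), ("s3", "s4")]       # constraints (s, t, !=)
AT_LEAST = [(2, {"s1", "s2", "s3"})]             # constraints (r, Q, >=)
AT_MOST = [(2, {"s2", "s3", "s4"})]              # constraints (r, Q, <=)


def authorized_users(step, auth):
    """A(s) = {u in U : s in A(u)}."""
    return {u for u, steps in auth.items() if step in steps}


def pb_encode(steps, auth, ne, at_least, at_most):
    """Return (PB1)-(PB6) as (terms, op, rhs) triples, terms = [(coef, var)].
    Variables: ('x', u, s) only for authorized pairs, ('z', u, i) for the
    i-th at-least constraint and ('y', u, i) for the i-th at-most constraint."""
    cons = []
    for s in steps:                                # (PB1): exactly one performer
        cons.append(([(1, ("x", u, s)) for u in authorized_users(s, auth)], "=", 1))
    for s, t in ne:                                # (PB2): x_us + x_ut <= 1
        for u in authorized_users(s, auth) & authorized_users(t, auth):
            cons.append(([(1, ("x", u, s)), (1, ("x", u, t))], "<=", 1))
    for i, (r, scope) in enumerate(at_least):
        for u in auth:                             # (PB3): z_uc - sum_{s in A(u) and c} x_us <= 0
            terms = [(1, ("z", u, i))] + [(-1, ("x", u, s)) for s in auth[u] & scope]
            cons.append((terms, "<=", 0))
        cons.append(([(1, ("z", u, i)) for u in auth], ">=", r))   # (PB4)
    for i, (r, scope) in enumerate(at_most):
        for s in scope:                            # (PB5): x_us - y_uc <= 0
            for u in authorized_users(s, auth):
                cons.append(([(1, ("x", u, s)), (-1, ("y", u, i))], "<=", 0))
        cons.append(([(1, ("y", u, i)) for u in auth], "<=", r))   # (PB6)
    return cons


def pb_satisfied(cons, assignment):
    """Evaluate each linear constraint; variables not in the dict count as 0."""
    for terms, op, rhs in cons:
        lhs = sum(c * assignment.get(v, 0) for c, v in terms)
        if not {"=": lhs == rhs, "<=": lhs <= rhs, ">=": lhs >= rhs}[op]:
            return False
    return True


def plan_to_assignment(plan, auth, at_least, at_most):
    """Forward direction of the proof: x_us = 1 iff u performs s;
    z_uc (resp. y_uc) = 1 iff u performs some step in the scope of c."""
    a = {("x", u, s): 1 for s, u in plan.items()}
    for kind, group in (("z", at_least), ("y", at_most)):
        for i, (_, scope) in enumerate(group):
            for u in auth:
                a[(kind, u, i)] = int(any(plan[s] == u for s in scope))
    return a


def assignment_to_plan(assignment):
    """Reverse direction: each step goes to the unique u with x_us = 1 (PB1)."""
    return {s: u for (kind, u, s), v in assignment.items() if kind == "x" and v == 1}


def wsp_satisfied(plan, auth, ne, at_least, at_most):
    """Direct check of the WSP constraints on a complete plan (step -> user)."""
    if any(s not in auth[u] for s, u in plan.items()):
        return False
    if any(plan[s] == plan[t] for s, t in ne):
        return False
    if any(len({plan[s] for s in scope}) < r for r, scope in at_least):
        return False
    return all(len({plan[s] for s in scope}) <= r for r, scope in at_most)


def check_equivalence(steps=STEPS, auth=AUTH, ne=NOT_EQUALS,
                      at_least=AT_LEAST, at_most=AT_MOST):
    """Enumerate every authorized plan; confirm it satisfies the WSP exactly when
    its PB image satisfies (PB1)-(PB6) and that the image maps back to the same
    plan. Returns (number of plans, number satisfiable, all_agree)."""
    cons = pb_encode(steps, auth, ne, at_least, at_most)
    n_plans = n_sat = 0
    agree = True
    for users in product(*[sorted(authorized_users(s, auth)) for s in steps]):
        plan = dict(zip(steps, users))
        a = plan_to_assignment(plan, auth, at_least, at_most)
        wsp_ok = wsp_satisfied(plan, auth, ne, at_least, at_most)
        n_plans += 1
        n_sat += wsp_ok
        agree = agree and wsp_ok == pb_satisfied(cons, a) and assignment_to_plan(a) == plan
    return n_plans, n_sat, agree   # (16, 4, True) for the instance above
```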


5 Experiments 

Due to the difficulty of acquiring real-world workflow instances, Wang and Li [22] used synthetic 
data in their experimental study. We follow a similar approach to test experimentally 
the FPT algorithm and the reduction to the PB SAT problem. We use C++ to implement 
the FPT algorithm and to encode the reduction for the WSP with user-independent counting 
constraints. We generate a number of random WSP instances with not-equals and 
counting constraints and compare the performance of one of our implementations of the 
FPT algorithm with that of SAT4J on the reduction when solving the same instances. All 
our experiments use a MacBook Pro computer having a 2.6 GHz Intel Core i5 processor, 
8 GB 1600 MHz DDR3 RAM and running Mac OS X 10.9.5. More experimental test 
results of earlier versions and implementations of this FPT algorithm and the reduction to 
the PB SAT problem using SAT4J can be found in [6]. 

5.1 Testbed Design 

An authorization list for a step $s \in S$ is a set of users $A(s) \subseteq U$ authorized to perform s. 
The set of authorization lists $\{A(s) : s \in S\}$ can be thought of as $\{A(u) : u \in U\}$, where 
$A(u) = \{s \in S : u \in A(s)\}$. We assumed that every user was authorized for at least one 
step but no more than $\lceil k/2 \rceil$ steps; that is, $1 \le |A(u)| \le \lceil k/2 \rceil$. 

All constraints are of the form not-equals, at-most-r, or at-least-r, where r is some 
small number. The not-equals constraints have a domain of size 2, while the at-most-r and 
at-least-r constraints have a domain of size t, where t is some number bigger than r. 

We vary the number of not-equals constraints as a percentage d of $\binom{k}{2}$, the maximum 
possible number of these constraints. For these experiments, we use the same number 
of at-most-r constraints as the number of at-least-r constraints, denoted by b. All not-equals, 
at-most-r, at-least-r constraints and authorizations are generated for each instance 
separately, uniformly at random. 

Counting at-most-r and at-least-r constraints are generated by first enumerating all possible 
t-element subsets of S using an algorithm from Reingold et al. [12]. Then Durstenfeld's 
version of the Fisher-Yates random shuffle algorithm [121 OS] is used to select separately and 
independently at random t-element subsets of S for the scopes of at-most-r and at-least-r 
constraints, b subsets for each. The random shuffle algorithm is also used to select steps in 
$A(u)$ for which each user u is authorized, and the list of authorization sets $\{A(u) : u \in U\}$ 
is generated uniformly at random, subject to the cardinality constraints $1 \le |A(u)| \le \lceil k/2 \rceil$. 
Finally, the random shuffle is used to randomly select not-equals constraints, taking d% of 
the set of all possible not-equals constraints. 

^ We would like to emphasize that even though the constraints considered in the theoretical part of Wang 
and Li's paper are purely user-independent, the authors consider randomly generated relations between 
users for their experiments. Therefore the experimental tests in [22] are not done in a user-independent 
environment. 

^ Our computer is more powerful than the one used by Wang and Li [22]. 

^ This experimental setup is different from the one used in our earlier work [6]. 
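The generation procedure of Section 5.1, as an added example that is not the authors' C++ generator: a Python generator draws authorizations, counting-constraint scopes and not-equals constraints with an explicit Durstenfeld shuffle, and a checker confirms the cardinality and count properties stated above. How d% is rounded to a whole number of constraints and how the size of each $A(u)$ is drawn are assumptions made here.

```python
"""Random WSP test-instance generator following the testbed design above
(added example, not the authors' generator; the rounding of d% and the way the
sizes of A(u) are drawn are assumptions made here)."""
import math
import random
from itertools import combinations


def durstenfeld_shuffle(items, rng):
    """In-place Fisher-Yates shuffle in Durstenfeld's form."""
    for i in range(len(items) - 1, 0, -1):
        j = rng.randrange(i + 1)
        items[i], items[j] = items[j], items[i]
    return items


def pick(population, m, rng):
    """Uniformly random m-element selection: shuffle a copy, take the prefix."""
    pool = list(population)
    durstenfeld_shuffle(pool, rng)
    return pool[:m]


def generate_instance(k, n, b, d, r=3, t=5, seed=0):
    """k steps, n users, b at-most-r and b at-least-r constraints with
    t-element scopes, and d% of the C(k,2) possible not-equals constraints.
    Every user is authorized for between 1 and ceil(k/2) steps."""
    rng = random.Random(seed)
    steps = list(range(k))
    # A(u) uniform over all subsets of size 1..ceil(k/2): draw the size with
    # probability proportional to C(k, size), then a uniform subset of that size.
    sizes = list(range(1, math.ceil(k / 2) + 1))
    weights = [math.comb(k, m) for m in sizes]
    auth = {u: frozenset(pick(steps, rng.choices(sizes, weights)[0], rng))
            for u in range(n)}
    # Counting constraints: enumerate all t-subsets of S, then pick b of them
    # separately and independently for each kind.
    scopes = [frozenset(c) for c in combinations(steps, t)]
    at_most = [(r, q) for q in pick(scopes, b, rng)]
    at_least = [(r, q) for q in pick(scopes, b, rng)]
    # Not-equals: d% of all unordered step pairs (rounded to the nearest integer).
    pairs = list(combinations(steps, 2))
    not_equals = pick(pairs, round(len(pairs) * d / 100), rng)
    return {"steps": steps, "auth": auth, "at_most": at_most,
            "at_least": at_least, "not_equals": not_equals}


def is_well_formed(inst, k, n, b, d, r=3, t=5):
    """Check the structural properties the testbed design promises."""
    max_auth = math.ceil(k / 2)
    auth_ok = (len(inst["auth"]) == n and
               all(1 <= len(a) <= max_auth and a <= set(inst["steps"])
                   for a in inst["auth"].values()))
    counting_ok = all(len(group) == b and len({q for _, q in group}) == b
                      and all(len(q) == t and rr == r for rr, q in group)
                      for group in (inst["at_most"], inst["at_least"]))
    ne = inst["not_equals"]
    ne_ok = (len(ne) == round(math.comb(k, 2) * d / 100)
             and len(set(ne)) == len(ne) and all(s != s2 for s, s2 in ne))
    return auth_ok and counting_ok and ne_ok
```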

5.2 Testbed Choice 

For the experiments, we wanted to use WSP instances that were both simple and challenging 
to solve, and close to what might be actually expected in practice. Therefore, 
we restricted our attention to counting constraints with r = 3 and t = 5, calling them 
at-most-3 and at-least-3 constraints, respectively. The rationale behind this is as follows. 
From our ad hoc experiments, at-most-r and at-least-r constraints with r = 1 or 2 make 
the problem instances easily solvable by both SAT4J and the FPT algorithm. On the other 
hand, at-most-r or at-least-r constraints with $r \ge 4$ are not likely to appear in practice. 
Similarly, at-most-r and at-least-r constraints with $t \le 4$ appeared to provide relatively 
easily solvable WSP instances, and $t \ge 6$ seems to be less likely to appear in practice. 
Therefore, for simplicity and to keep things challenging and realistic enough at the 
same time, the choice of r = 3 and |c| = 5 seems to be well justified. Increasing r and t 
and keeping them close to each other seems to provide more challenging instances, which 
are left out of the scope of this paper. On the other hand, smaller values of r and t, or a 
larger difference between them, seem to create WSP instances whose satisfiability 
is easier to decide. 

Based on what might be expected in practice, we used values of k = 15, 20, 25 for 
the number of steps, and set n = 10k for the number of users. For the percentage d of 
not-equals constraints (out of the $\binom{k}{2}$ possible not-equals constraints), we used values of 
d = 10, 20, 30 (%). 

For convenience, we adopt the following convention to label our test instances: b.d 
denotes an instance with b at-most-3 constraints, b at-least-3 constraints, and not-equals 
constraint density d (e.g., see Tables 2 and 3). 

Considering b and d as parameters, we try to explore an area where both satisfiable 
(sat) and unsatisfiable (unsat) instances of the WSP are relatively likely to occur. Starting 
with instances having not too many not-equals constraints, informally, we expect that the 
difficulty of solving instances b.d for fixed k and b would increase as d increases (as the 
problem becomes "more constrained"). Similarly, for fixed k and d, we expect instances b.d 
would become harder to solve as b increases. We also expect that the time taken to solve 
an instance would depend on whether the instance is satisfiable or not, with unsatisfiable 
instances requiring a solver to examine all possible plans (or to provide a certificate of their 
unsatisfiability). 

We generate a set of instances of different degrees of hardness by varying the not-equals 
constraint density and the number of counting constraints. The resulting set of 
test instances includes some that are satisfiable with a relatively high diversity w of their 
search space ("lightly-constrained"), and some that are either satisfiable with a relatively 
low diversity w or are unsatisfiable ("well-constrained"). For each number of steps, k = 
15, 20, 25, and three different constraint densities, d = 10, 20, 30 (%), to determine the 
range of values for b (which is dependent on k), we start with instances that seem to be 
lightly-constrained and normally can be efficiently solved by SAT4J. We then gradually 
increment b in steps of 2 and generate more instances. We stop generating instances when 
we find two consecutive values of b for which no instances are satisfiable. The minimum 
and maximum values of b used in the experiments to generate Tables 1-3 correspond to 
instances that we view as borderline. In other words, we start with instances that are likely 
to be lightly-constrained and stop at instances which are likely to be well-constrained, as 
the corresponding three instances for the same values of k and b are unsatisfiable. For the 
test instances in this paper, b ranges from 2 to 32 for k = 15, from 10 to 38 for k = 20, and 
from 22 to 36 for k = 25, respectively. The interested reader is referred to [6] for further 
details about possible selection of parameters for test instances. 

^ Schaad et al. investigated several case studies in which authorization constraints were relevant, including 
a loan origination process in a bank [21] and the creation of electronic signatures in a law practice [20]. 
These two business processes used 13 and 12 steps, respectively. 

5.3 Results 

In the experiments we compare the run-times and performance of an implementation of our 
FPT algorithm, called Solver FPT, and of SAT4J on the reduction to the PB SAT problem 
(described in the preceding section), referred to as Solver SAT4J. Overall, Solver FPT was able to solve 
all the 117 test instances, while Solver SAT4J solved only 100 of them (85.5%). See Table 1 
for overall statistics: the corresponding numbers of unsolved instances are in parentheses. 
For average time values, we assume that the running time on the unsolved instances can 
be considered as a lower bound on the time required to solve them. Therefore average 
time values in Table 1 take into consideration unsolved instances for Solver SAT4J: they 
are estimated lower bounds on its average time performance. 


Table 1: Summary statistics for k ∈ {15, 20, 25} 

| #Steps | Interval for b | Instance Type | Solver SAT4J #Instances | Solver SAT4J Mean Time (s) | Solver FPT #Instances | Solver FPT Mean Time (s) |
|---|---|---|---|---|---|---|
| 15 | 2 ≤ b ≤ 32 | sat | 26 | 1.25 | 26 | 0.74 |
| | | unsat | 22 | 327.84 | 22 | 0.32 |
| | | all | 48 | 150.94 | 48 | 0.55 |
| 20 | 10 ≤ b ≤ 38 | sat | 18 | 38.04 | 18 | 20.77 |
| | | unsat | 21 (6) | 1,096.21 | 27 | 20.43 |
| | | all | 39 (6) | 672.94 | 45 | 20.56 |
| 25 | 22 ≤ b ≤ 36 | sat | 5 (2) | 913.02 | 7 | 3,173.99 |
| | | unsat | 8 (9) | 1,724.44 | 17 | 845.41 |
| | | all | 13 (11) | 1,487.78 | 24 | 1,524.58 |


For the number k of steps equal to 15, in general, although SAT4J was able to solve 
all the instances, Solver FPT was several hundred times more efficient than SAT4J, with a 
much lower standard deviation in time performance (0.98 sec versus 293.1 sec, respectively). 
However, for lightly-constrained instances (b = 2 and 4), Solver SAT4J was usually about 
one order of magnitude more efficient than Solver FPT. Nevertheless, both solvers solved 
the WSP instances in seconds or tenths of seconds, and so Solver FPT could be successfully 
used for these kinds of lightly-constrained instances as well. Overall, average performance 
and time variance of both solvers on satisfiable instances was similar, with Solver FPT 
having a small advantage. For unsatisfiable instances, Solver FPT appeared to be about 
three orders of magnitude more efficient than SAT4J. Since we do not know in advance 
whether a given instance is satisfiable or not, Solver FPT can be considered as clearly 
superior, and should be applied to instances with b ≥ 6, while Solver SAT4J seems to be a 
better choice when b ≤ 5. Also, for small values of b (b ≤ 10), SAT4J seems to be slightly 
more efficient for lower densities of not-equals constraints, d ≤ 10%. 


For the number k of steps equal to 20 and 25, we provide Tables 2 and 3, respectively, 
which give detailed results of our experiments, and Figures 1 and 2, respectively, depicting 
the results graphically. Notice that Solver FPT reaches a conclusive decision (sat or unsat) 
in all cases, whereas SAT4J fails to reach such a decision for some instances, typically 
because the machine runs out of memory. In Figures 1 and 2, the shaded circles represent 
the instances unsolved by SAT4J. In Tables 2 and 3, we record the outcomes and CPU 
time taken by the two solvers to run on each instance. The best running time for each 
instance is in bold. Auxiliary information for Solver FPT includes the number of users 
considered and the number of patterns in the search space (a measure of the diversity w 
of the instance) generated before a valid plan was obtained or the instance was recognized 
as unsatisfiable. Also, for unsat instances, we show the number of users that could not 
extend the set of patterns in Algorithm 1 (i.e., for such users u, $P_u = \emptyset$ in line 29) 
and, respectively, the number of useless users whose authorization lists are dominated 
by those users. In the tables these appear in the form n : x^y, where n is the total number of users 
and x and y are the two counts just described. 


Figure 1: Test results for k = 20 steps (plot of FPT algorithm vs SAT4J performance; x-axis: Instance ID) 

For k = 20 steps, Solver FPT successfully solved all 45 test instances, but Solver 
SAT4J failed to reach a conclusive decision for 6 of the instances (13.3%), all 6 being 
unsatisfiable (as determined by Solver FPT). For small values of b or d, corresponding 
to lightly-constrained instances, SAT4J usually performs better than Solver FPT. This is 
unsurprising, because the diversity w of such instances is much higher, thereby increasing 
the running time of Algorithm 1. However, for larger values of b or d (where the diversity is 
much lower), the FPT algorithm clearly outperforms SAT4J. Also, Figure 1 clearly shows 
that the running time of Solver SAT4J varies much more than that of Solver FPT, with 
the unsolved instances having running times larger than those of any solved instances. In 
contrast, Solver FPT shows a very stable time performance. Solver SAT4J seems to be 
better to use when b ≤ 10, or b ≤ 16 and d ≤ 20%, or b ≤ 20 and d ≤ 10%. 

Table 2: Experimental test results for k = 20 

| Instance ID | Solver SAT4J Output | Solver SAT4J CPU Time (s) | Solver FPT Output | Solver FPT CPU Time (s) | Solver FPT #Users | Solver FPT #Patterns |
|---|---|---|---|---|---|---|
| 10.10 | sat | 0.58 | sat | 28.18 | 6 | 2,286,676 |
| 10.20 | sat | 1.29 | sat | 16.46 | 7 | 497,634 |
| 10.30 | sat | 1.55 | sat | 15.07 | 17 | 177,426 |
| 12.10 | sat | 0.53 | sat | 11.15 | 5 | 816,017 |
| 12.20 | sat | 1.73 | sat | 26.21 | 8 | 1,081,988 |
| 12.30 | unsat | 334.11 | unsat | 124.97 | 200 : 71^68 | 358,731 |
| 14.10 | sat | 0.77 | sat | 21.85 | 8 | 711,168 |
| 14.20 | sat | 3.25 | sat | 21.07 | 23 | 155,345 |
| 14.30 | sat | 26.33 | sat | 3.36 | 21 | 33,427 |
| 16.10 | sat | 0.50 | sat | 12.06 | 6 | 435,640 |
| 16.20 | sat | 3.41 | sat | 12.97 | 17 | 125,409 |
| 16.30 | unknown | 2,732.93 | unsat | 28.76 | 200 : 72^64 | 45,918 |
| 18.10 | sat | 0.86 | sat | 74.10 | 21 | 460,550 |
| 18.20 | unsat | 677.83 | unsat | 22.38 | 200 : 67^56 | 30,431 |
| 18.30 | unsat | 419.98 | unsat | 37.89 | 200 : 71^60 | 64,990 |
| 20.10 | sat | 1.39 | sat | 26.58 | 14 | 118,920 |
| 20.20 | unknown | 2,955.35 | unsat | 28.26 | 200 : 58^51 | 36,710 |
| 20.30 | unsat | 58.99 | unsat | 7.48 | 200 : 80^51 | 10,049 |
| 22.10 | sat | 12.42 | sat | 6.61 | 12 | 45,011 |
| 22.20 | unsat | 1,720.84 | unsat | 31.36 | 200 : 61^57 | 22,140 |
| 22.30 | unsat | 93.60 | unsat | 9.67 | 200 : 75^64 | 13,925 |
| 24.10 | sat | 18.43 | sat | 8.71 | 18 | 35,563 |
| 24.20 | unknown | 2,957.03 | unsat | 16.12 | 200 : 65^48 | 15,497 |
| 24.30 | unsat | 103.70 | unsat | 8.01 | 200 : 69^58 | 7,033 |
| 26.10 | sat | 22.63 | sat | 25.49 | 32 | 54,792 |
| 26.20 | unsat | 1,931.69 | unsat | 10.80 | 200 : 66^52 | 10,848 |
| 26.30 | unsat | 494.26 | unsat | 5.04 | 200 : 75^61 | 4,289 |
| 28.10 | sat | 113.78 | sat | 38.68 | 48 | 49,115 |
| 28.20 | unsat | 974.26 | unsat | 23.96 | 200 : 71^43 | 17,371 |
| 28.30 | unsat | 457.82 | unsat | 4.65 | 200 : 76^60 | 3,799 |
| 30.10 | unknown | 2,834.44 | unsat | 91.84 | 200 : 50^45 | 57,585 |
| 30.20 | unsat | 1,007.06 | unsat | 10.73 | 200 : 63^56 | 10,095 |
| 30.30 | unsat | 470.43 | unsat | 3.27 | 200 : 83^56 | 2,568 |
| 32.10 | sat | 413.85 | sat | 17.29 | 43 | 19,008 |
| 32.20 | unsat | 361.16 | unsat | 11.26 | 200 : 59^69 | 11,292 |
| 32.30 | unsat | 148.69 | unsat | 2.57 | 200 : 71^72 | 2,202 |
| 34.10 | sat | 61.41 | sat | 7.97 | 22 | 22,756 |
| 34.20 | unsat | 192.02 | unsat | 4.74 | 200 : 60^53 | 3,982 |
| 34.30 | unsat | 1,416.92 | unsat | 2.88 | 200 : 75^55 | 2,294 |
| 36.10 | unknown | 3,316.51 | unsat | 30.17 | 200 : 54^54 | 18,460 |
| 36.20 | unsat | 634.06 | unsat | 6.98 | 200 : 53^62 | 5,249 |
| 36.30 | unsat | 107.73 | unsat | 2.08 | 200 : 83^59 | 1,740 |
| 38.10 | unknown | 2,307.16 | unsat | 18.69 | 200 : 59^42 | 14,255 |
| 38.20 | unsat | 235.11 | unsat | 4.57 | 200 : 73^55 | 3,821 |
| 38.30 | unsat | 654.09 | unsat | 2.44 | 200 : 79^51 | 1,785 |

Table 3: Experimental test results for k = 25 

| Instance ID | Solver SAT4J Output | Solver SAT4J CPU Time (s) | Solver FPT Output | Solver FPT CPU Time (s) | Solver FPT #Users | Solver FPT #Patterns |
|---|---|---|---|---|---|---|
| 22.10 | sat | 39.38 | sat | 2,989.47 | 23 | 5,892,335 |
| 22.20 | sat | 107.45 | sat | 2,985.02 | 75 | 1,413,105 |
| 22.30 | unsat | 380.64 | unsat | 697.76 | 250 : 84^68 | 243,780 |
| 24.10 | sat | 29.38 | sat | 1,317.98 | 14 | 4,547,403 |
| 24.20 | unknown | 2,366.72 | unsat | 1,041.61 | 250 : 89^41 | 306,664 |
| 24.30 | unsat | 734.43 | unsat | 530.52 | 250 : 87^68 | 166,905 |
| 26.10 | unknown | 2,902.77 | sat | 9,624.71 | 95 | 3,651,747 |
| 26.20 | unknown | 2,629.04 | unsat | 1,892.92 | 250 : 78^47 | 447,506 |
| 26.30 | unsat | 606.36 | unsat | 343.73 | 250 : 86^56 | 85,438 |
| 28.10 | sat | 359.67 | sat | 3,200.61 | 44 | 1,914,685 |
| 28.20 | unknown | 2,900.17 | unsat | 1,190.27 | 250 : 86^54 | 294,422 |
| 28.30 | unsat | 157.78 | unsat | 259.69 | 250 : 88^61 | 62,806 |
| 30.10 | unknown | 2,787.75 | sat | 1,628.47 | 29 | 1,354,688 |
| 30.20 | unknown | 3,193.69 | unsat | 1,367.66 | 250 : 74^49 | 330,524 |
| 30.30 | unsat | 753.05 | unsat | 147.00 | 250 : 91^65 | 37,563 |
| 32.10 | sat | 164.75 | sat | 471.68 | 14 | 811,118 |
| 32.20 | unknown | 2,294.51 | unsat | 391.75 | 250 : 75^55 | 101,370 |
| 32.30 | unsat | 351.33 | unsat | 142.21 | 250 : 89^65 | 34,466 |
| 34.10 | unknown | 3,510.65 | unsat | 3,489.42 | 250 : 64^40 | 800,535 |
| 34.20 | unknown | 2,155.26 | unsat | 400.66 | 250 : 83^55 | 109,214 |
| 34.30 | unsat | 576.72 | unsat | 94.54 | 250 : 90^67 | 19,242 |
| 36.10 | unknown | 3,482.64 | unsat | 1,960.90 | 250 : 65^53 | 489,635 |
| 36.20 | unknown | 2,935.06 | unsat | 353.27 | 250 : 73^50 | 89,912 |
| 36.30 | unsat | 287.47 | unsat | 68.07 | 250 : 97^59 | 13,848 |

For k = 25 steps, Solver FPT reached a conclusive decision (satisfiable or unsatisfiable) 
for all the 24 test instances. In contrast, SAT4J failed to solve 11 of the instances (45.8%), 
two of which were reported to be satisfiable and nine of which were reported to be unsatisfiable 
by Solver FPT. Again, for smaller values of b or d, corresponding to lightly constrained 
instances, SAT4J generally performs better than Solver FPT. However, for larger values 
of b or d, SAT4J starts to fail quite often and is not able to provide a solution. At the 
same time, our FPT algorithm clearly starts to outperform SAT4J because the diversity 
w of such instances is much lower. Figure 2 shows that, for 25 steps, the running time of 
Solver SAT4J varies similarly to the running time of Solver FPT, with an outlier instance 
at b = 26 and d = 10% (satisfiable). However, SAT4J is unable to solve almost half of the 
instances, with the unsolved instances again having running times higher than any solved 
instances. Solver SAT4J seems to be better to use when b ≤ 22, or b ≤ 24 and d ≤ 10%, 
or when an instance is highly suspected to be satisfiable. 
Figure 2: Test results for k = 25 steps 


5.3.1 Summary 

Table 1 above presents summary statistics for the experiments overall. From Tables 2 
and 3 and the low running time variance for k = 15, it can be observed that the average 
running times of Solver FPT are of a similar order of magnitude, whether the instances are 
satisfiable or unsatisfiable. The set of running times for Solver FPT in these tables, whether 
the instance is satisfiable or unsatisfiable, also has relatively low variance. In contrast, 
the mean running times of SAT4J vary significantly depending on whether the instance is 
satisfiable or not. As the number k of steps increases, SAT4J fails more frequently, and is 
unable to reach a conclusive decision for almost half of the instances when k = 25. This 
is unsurprising, given that the number of PB SAT variables will grow quadratically as k 
and n = 10k increase. However, in time performance for satisfiable instances, the picture 
is often more favourable to SAT4J: this may be explained by some heuristics deployed 
to solve relatively easy satisfiable instances. Overall, for larger values of k, the average 
run-time advantage of the FPT algorithm over SAT4J decreases, but the relative number 
of instances solved by SAT4J decreases as well. 

The tables also exhibit the expected correlation between the running time of our FPT 
algorithm and two numbers: the number of patterns generated by the algorithm and the 
number of users considered, which, in turn, is related to the number of constraints and 
constraint density. For well-constrained instances, the FPT algorithm has to consider far 
fewer patterns, and this more than offsets the fact that we may have to consider every user 
(for those cases that are unsatisfiable). 

It is interesting to note the way in which the mean running time t varies with the 
number of steps. In particular, t for our algorithm grows exponentially with k (with strong 
correlation between k and $\log t$), which is consistent with the theoretical running time of 
our algorithm ($O^*(2^{k \log k})$). The running time of SAT4J is also dependent on k, with a 
strong correlation between k and $\log t$, which is consistent with the fact that there are 
$O(n^k)$ possible plans to consider. However, it is clear that the running time of SAT4J 
is also more dependent on the number of variables (determined by the number of users, 
authorizations, and constraints) than it is on k, unlike the running time of our algorithm. 


6 Concluding Remarks 

In this paper, we described our implementation of an FPT algorithm designed to solve a 
specific NP-hard problem known as the workflow satisfiability problem (WSP) for user-independent 
counting constraints. In theory, there exists an algorithm that can solve the 
WSP for user-independent constraints in time in the worst case. However, the 
WSP is a practical problem with applications in the design of workflows and the design of 
access control mechanisms for workflow systems [U]. Thus, it is essential to demonstrate 
that theoretical advantages can be realised in practice. 

Accordingly, we have developed several implementations using the generic FPT algorithm 
as a starting point. In developing the implementations, it became apparent that 
several application-specific heuristic improvements could be made. In particular, we developed 
specific types of propagation and pruning techniques for counting at-most-r and 
at-least-r constraints. Following general techniques described earlier and in [7], it 
should be possible to generalize and implement efficiently most of the ideas used in Algorithm 1 
to solve the WSP with other types of user-independent constraints. 

We compared the performance of our algorithm with that of SAT4J, an "off-the-shelf" 
PB SAT solver. In order to perform this comparison, we extended Wang and Li's encoding 
of the WSP as a pseudo-Boolean satisfiability problem [22]. The results of our experiments 
suggest that our algorithm does, indeed, have an advantage over SAT4J when solving 
the WSP, although this advantage does not extend to lightly constrained instances of 
the problem. The results also suggest that those advantages could be attributed to the 
structure of our algorithm, with its focus on the small parameter (in this case, the number 
of workflow steps). 

The encodings of plans presented in this paper grouped plans together based on which 
steps they assigned to the same user. For counting constraints, it would also be possible to 
group plans together based on how many users are assigned to the steps in each constraint. 
It may be worth investigating algorithms based on this encoding of plans in future. 

We plan to continue working on algorithm engineering for the WSP. In particular, we 
plan to continue developing ideas presented in this paper and in [7] to develop efficient 
implementations and modified versions of this FPT algorithm. We hope to obtain a more 
efficient implementation than the one presented in this paper. We also plan to try different 
experimental setups. For example, in this paper, we have used a uniform random distribution 
of authorizations to users with an upper bound at 50% of the number of steps for 
which any one user can be authorized. In some practical situations, a few users are authorized 
for many more steps than others. We have only considered counting constraints, 
rather than a range of user-independent constraints. In some ways, imposing these constraints 
enables us to make meaningful comparisons between the two different algorithmic 
approaches. However, we would like to undertake more extensive study and testing to 
confirm that the initial results obtained for this particular family of WSP instances can be 
extended to other types of WSP. 

Results and ideas presented in this paper can serve as a benchmark for further developments 
in algorithm engineering to solve the workflow satisfiability problem with user-independent 
constraints and to design their experimental testing. 